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Abstract — There have been several approaches to the problem 
of provisioning traffic engineering between core network nodes 
in Internet Service Provider (ISP) networks. Such approaches 
aim to minimize network delay, increase capacity, and enhance 
security services between two core (relay) network nodes, an 
ingress node and an egress node. MATE (Multipath Adaptive 
Traffic Engineering) has been proposed for multipath adaptive 
traffic engineering between an ingress node (source) and an egress 
node (destination) to distribute the network flow among multiple 
disjoint paths. Its novel idea is to avoid network congestion and 
attacks that might exist in edge and node disjoint paths between 
two core network nodes. 

This paper aims to develop an adaptive, robust, and reliable 
traffic engineering scheme to improve performance and reliability 
of communication networks. This scheme will also provision 
Quality of Server (QoS) and protection of traffic engineering 
to maximize network efficiency. Specifically, S-MATE (secure 
MATE) is proposed to protect the network traffic between two 
core nodes (routers, switches, etc.) in a cloud network. S-MATE 
secures against a single link attack/failure by adding redundancy 
in one of the operational redundant paths between the sender 
and receiver nodes. It is also extended to secure against multiple 
attacked links. The proposed scheme can be applied to secure 
core networks such as optical and IP networks. 

Index Terms — MATE Protocol, Network Coding, Adaptive 
Traffic Engineering, Internet Protection and Security. 

I. Introduction 

Several approaches have been proposed for adapting the 
traffic between core network nodes in Internet Service Provider 
(ISP) networks [9], [13], [15]. Elwalid et al. [9] proposed an 
algorithm for multipath adaptive traffic engineering between 
an ingress node (source) and an egress node (destination). 
Their novel idea is to avoid network congestion that might 
exist in disjoint paths between two core network nodes. 
They suggested load balancing among paths based on mea- 
surement and analysis of path congestion by using Multi- 
Protocol Label Switching (MPLS). MPLS is a widely adopted 
tool for facilitating traffic engineering unlike explicit routing 
protocols, which allow certain routing methodology from hop- 
to-hop in a network with multiple core devices. The major 
advantage of MATE is that it does not require scheduling, 
buffer management, or traffic priority in the nodes. 

In this work, we propose a new scheme, Secure Multi- 
path Adaptive Traffic Engineering (S-MATE), that aims to 
protect/secure multiple disjoint paths for network traffic. S- 
MATE enables reliable data delivery and provides protection 

The material in this paper was presented in part at ICC 10, Cape Town, 
South Africa, May 23-27, 2010. Available: arXiv: 1010.4858 




Fig. 1. The network model is represented by two network nodes, ingress node 
(source) and egress node (receiver). There are k link disjoint paths between 
the ingress and egress nodes. The link disjoint multipaths are established by 
using a network management software at the core routers. 



against link and router failures. The main feature of S-MATE 
is that the protection is achieved without retransmitting the 
lost packets or resending the ACK/NACK messages at the 
receivers. The sender keeps sending its data at a regular rate 
once the key fc-disjoint paths are established. In addition, 
the proposed scheme provisions load balancing, meaning that 
the redundant data is distributed fairly among the available 
provisioned disjoint paths. Furthermore, once a certain path 
experiences delay or high risk of failures, the proposed scheme 
is modified to provide quality of service (QoS) traffic engineer- 
ing. The latter scheme is referred to as QoS-S-MATE. 

Several recovery mechanisms against failures are proposed 
to ensure reliability and delivery of transmitted data by the core 
router nodes in the presence of link and relay failures [18], 
[20], [24]. These mechanisms also aim to guarantee the Ser- 
vice Level Agreements (SLAs). Failures of links and routers 
occur due to several reasons such as network component 
imperfections and changes of network topology. However, the 
protection operation is a challenging task because once the 
failure occurs the network traffic has to be rerouted among 
other routers, or delayed in the links for a short period of 
time. Such circumstances are unexpected and challenging for 
the network operators. One way to ensure data delivery is to 
establish backup paths between ingress and egress nodes. 

Network coding is a powerful tool that has been recently 
used to increase the throughput, capacity, and performance 
of wired and wireless communication networks. Information 
theoretic aspects of network coding have been investigated 
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in References [2], [21], [25], and in the list of references 
therein. It offers benefits in terms of energy efficiency, ad- 
ditional security, and reduced delay. Network coding allows 
the intermediate nodes not only to forward packets using net- 
work scheduling algorithms, but also to encode/decode them 
through algebraic primitive operations [2], [11], [21], [25]. For 
example, data loss because of failures in communication links 
can be detected and recovered if the sources are allowed to 
perform network coding operations [7], [12], [14]. 

Multipath Adaptive Traffic Engineering (MATE), which was 
previously proposed by one of the authors of this paper, is 
a traffic load balancing scheme that is suitable for S-MATE 
(secure MATE) as will be explained later. MATE distributes 
traffic among the edge disjoint paths, so as to equalize the 
path delays. This is achieved by using adaptive algorithms. 
MATE has inspired other traffic engineering solutions such 
as TexCP [15] and the measurement-based optimal routing 
solution [23]. In this paper, we will design a security scheme 
by using network coding to protect against an entity who can 
not only copy/listen to the message, but also can fabricate 
new messages or modify the current ones. We aim to build 
an adaptive, robust, reliable traffic engineering scheme for 
better performance and operation of communication networks. 
The scheme will also provision QoS and protection of traffic 
engineering to maximize network efficiency. 

The rest of the paper is organized as follows. In Sec- 
tion II, we present the network model and assumptions. In 
Sections III, IV and V, we review the MATE algorithm and 
propose the secure MATE scheme based on network coding. 
S-MATE against single and multiple attacks is presented in 
Sections VI, VII, VIII and IX. Finally, Section X concludes 
the paper. 

II. Network Model and Assumptions 

The network model can be represented as follows. Assume 
a given network represented by a set of nodes and links. The 
network nodes are core nodes that transmit outgoing packets 
to the neighboring nodes in certain time slots. The network 
nodes are ingress and egress nodes that share multiple edge 
and node disjoint paths. 

We assume that the core nodes share k edge disjoint paths, 
as shown in Fig. 1, for one particular pair of ingress and egress 
nodes. Let N = {N\, N2, ...} be the set of nodes (ingress 
and egress nodes) and L = {L\ hl L 2 lh , ...,L^ h } be the set of 
disjoint paths from an ingress node Nt to an egress node Nh- 
Every path L\ h carries segments of independent packets from 
an ingress node Nt to egress node Nh- Let P % ^ h be the packet 
sent from the ingress node Nt in path i at time slot j to 
the egress node Nh- For simplicity, we describe the proposed 
scheme for one particular pair of ingress and egress nodes. 
Hence, we use P 4 - 7 to represent a packet in path i at time slot 
3- 

Assume there are S rounds (time slots) in a transmission 
session. For the remainder of the paper, rounds and time slots 
will be used interchangeably. Packet P iJ is indexed as follows: 

Packet 1 ^! D N e , X %3 , roundj), (1) 



where ID^ e and X 1J are the sender ID and transmitted data 
from Ni in the path L, at time slot j. There are two types of 
packets: plain and encoded packets. The plain packet contains 
the unencoded data from the ingress to egress nodes as shown 
in Equation (1). The encoded packet contains encoded data 
from different incoming packets. For example, if there are k 
incoming packets to the ingress node A), then the encoded 
data traversed in the protection path Lj h to the egress node 
Nh is given by 

fc 

y j X !'!>:■ (2) 

where the summation denotes the binary addition. The corre- 
sponding packet becomes 

Packet 1 ^ (ID N e ,y J ' , roundj ) . (3) 

The following definition describes the working and protec- 
tion paths between two network switches as shown in Fig. 1. 

Definition 1: The working paths in a network with n con- 
nection paths carry un-encoded (plain) traffic under normal 
operations. The protection paths provide alternate backup 
paths to carry encoded traffic. A protection scheme ensures 
that data sent from the sources will reach the receivers in case 
of failures in the working paths. 

We make the following assumptions about the transmission 
of the plain and encoded packets. 

i) The TCP protocol will handle the transmission and packet 
headers in the edge disjoint paths from the ingress to 
egress nodes. 

ii) The data from the ingress nodes are sent in rounds and 
sessions throughout the edge disjoint paths to the egress 
nodes. Each session is quantified by the number of rounds 
(time slots) n. Hence, tj is the transmission time at the 
time slot j in session 6. 

iii) The attacks and failures on a path Li may be incurred 
by a network incident such as an eavesdropper, link 
replacement, and overhead. We assume that the receiver 
is able to detect a failure, and our protection strategy 
described in S-MATE is able to recover it. 

iv) We assume that the ingress and egress nodes share a set 
of k symmetric keys. Furthermore, the plain and encoded 
data are encrypted by using this set of keys. That is 

x l = Encyptkeyiim 1 ), 

where m, is the message encrypted by the fcey,-. Sharing 
symmetric keys between two entities (two core network 
nodes) can be achieved by using key establishment pro- 
tocols described in [] 7] and [19]. 

v) In this network model, we consider only a single link 
failure or attack; it is thus sufficient to apply the encoding 
and decoding operations over a finite field with two 
elements, denoted as F2 = {0, 1}. 

The traffic from the ingress node to the egress node in edge 
disjoint paths can be exposed to edge failures and network 
attacks. Hence, it is desirable to protect and secure this traffic. 
We assume that there is a set of k connection paths that need to 



SUBMITTED, DECEMBER 2010 



3 




MATE Functions in Ingress LSR 



Fig. 2. MATE traffic engineering at the ingress node. 



be fully guaranteed and protected against a single edge failure 
from ingress to egress nodes. We assume that all connections 
have the same bandwidth, and each link (one hop or circuit) 
has the same bandwidth as the path. 

The benefits of the proposed solutions include the following: 

i) network protection is provisioned, 

ii) recovery is achieved without retransmitting the lost pack- 
ets, 

iii) the sender can transmit at a constant high rate, 

iv) the lost packets are recovered at the receiver online 
without sending an ACK message or notifying the sender 
about the failure, and 

v) the network traffic is not rerouted or delayed. 

III. MATE Protocol 

MPLS (Multipath Protocol Label Switching) is an emerging 
tool for facilitating network traffic and out-of-band control. 
Unlike explicit routing protocols, which allow certain routing 
methodology from hop-to-hop in a network with multiple 
core devices, MPLS balances network traffic. As shown in 
Fig. 2, MATE assumes that several explicit paths between an 
ingress node and an egress node in a cloud network have 
been established. This is a typical setting which exists in 
operational Internet Service Providers (ISP) core networks 
(which implement MPLS). The goal of the ingress node is 
to distribute traffic across the edge disjoint paths, so that the 
loads are balanced. One advantage of this load balancing is to 
equalize path delays, and to minimize traffic congestion [9], 
[10]. 

The following are the key features of the MATE algorithm. 

1) The traffic is distributed at the granularity of the IP flow 
level. This ensures that packets from the same flow follow 
the same path, and hence there is no need for packet re- 
sequencing at the destination. This is easily and effectively 
achieved by using a hashing function on the five tuple IP 
address. 

2) MATE is a traffic load balancing scheme, which is suitable 
for S-MATE, as will be explained later. MATE distributes 
traffic among the edge disjoint paths, so as to equalize the 
paths delays. This is achieved by using adaptive algorithms 
as shown in Fig. 2 and Reference [9] 



3) It is shown that the distributed load balancing (for each 
ingress, egress pair) is stable and provably convergent. 
MATE assumes that several network nodes exist between 
ingress nodes as traffic senders and egress nodes as traffic 
receivers. Furthermore, the traffic can be adapted by using 
switching protocols such as CR-LDP [8] and RSVP-TE [6]. 
An ingress node is responsible for managing the traffic 
in the multiple paths to the egress nodes so that traffic 
congestion and overhead are minimized. 
As shown in Fig. 2, Label Switch Paths (LSPs) from an 
ingress node to an egress node are provisioned before the 
actual packet is transmitted. Then, once the transmissions start, 
the ingress node will estimate the congestion that might occur 
in one or more of the k edge disjoint paths. As stated in 
Reference [9], the congestion measure is related to one of the 
following factors: delay, loss rate, and bandwidth. In general, 
each ingress node in the network will route the incoming 
packets into the k disjoint paths. One of these paths will carry 
the encoded packets, and all other k — 1 paths will carry plain 
packets. Each packet has its own routing number, so that the 
egress node will be able to manage the order of the incoming 
packet, and thus achieve the decoding operations. 

As explained in [9], MATE works in two phases: a mon- 
itoring phase and a load balancing phase. These two phases 
will monitor the traffic and balance packets among all dis- 
joint paths. One beneficial feature of MATE is that its load 
balancing algorithms equalize the derivative of delay among 
all edge disjoint paths from an ingress node to an egress 
node. Furthermore, MATE'S load balancing preserves packet 
ordering since load balancing is done at the flow level (which 
is identified by a 5-tuple IP address) rather than at the packet 
level 

We ensure that the proposed protocol in the following 
section is suitable for Internet traffic such as voice over 
IP (VoIP), multimedia teleconferencing, online gaming, TV 
streams. Such traffic is delay-sensitive and intolerant to late 
packet arrivals. This approach is different from other tech- 
niques for delay-sensitive traffic, including shortest path rout- 
ing, or equal load-balancing splitting among multiple paths. As 
shown in a Cisco manuscript [I], by 2012 video traffic will 
occupy 90% of the total Internet traffic. Hence, techniques 
for delay minimization and online protection against failures 
are needed. Techniques that depend on shortest paths between 
ingress and egress nodes or on retransmitting the lost packets 
appear to be impractical for delay sensitive traffics [22]. 

IV. Protection Using a Dedicated Path 

In this section, we present a Network Protection Strategy 
(NPS) against a single network failure. The single failure could 
be one link or one core node (router or switch) in the given 
network topology. Let x\ be the data sent from the source Si at 
round time I in a session t\. Also, assume yj = Y^i=i i^j x i- 
Put differently, 

%jj = X]_ © X2 © ■•■ © ^i^j © ■ * • © (4) 

The protection scheme runs in sessions as explained below. 
Every session has at most one single failure throughout each 
round. 
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Some network topologies do not allow adding extra paths 
between the ingress and egress nodes. In this case, we propose 
that one of the available working paths can be used to carry 
the encoded data as shown in (5). It shows that there exists 
a path Lj that carries the encoded data sent from the source 
Sj to the receiver rj. 
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All y*'s are defined over F2 as 

y*= E <■ (6) 

Note that the encoded data y^ is fixed per one session 
transmission but it is varied for other sessions. This means 
that the path Lj is dedicated to sending all encoded data 
yj, yj, . . . , y™, for all 1 < j < k. The normalized capacity 
of this scheme is still (n — l)/n. 

Lemma 2: The normalized capacity of NPS described 
in (5) is given by 

C = (ft - (7) 

where k is the number of disjoint paths. 

Proof: We have 11 rounds and the total number of trans- 
mitted packets in every round is k. Also, in every round there 
are (k — 1) un-encoded data x\, xz, . . . x^j, . . . , Xk and only 
one encoded data yj, for all i = 1, . . . , n. Hence, the capacity 
ce in every round is ft — 1. Therefore, the normalized capacity 
is given by 

c= S? = i* = (fc~l)*n (g) 
k * n kn 

■ 

The following lemma shows that the network protection 
strategy NPS is in fact optimal if we consider the field F2. 
In other words, there exist no other strategies that give better 
normalized capacity than NPS. 

Lemma 3: The network protection shown in (5) against a 
single link failure is optimal. 

The transmission is done in rounds, and hence linear com- 
binations of data have to be from the same round. This can 
be achieved by using the round time that is included in each 
packet sent by a sender. 
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(9) 



Encoding Process: There are several scenarios in which the 
encoding operations can be achieved. The encoding and decod- 
ing operations will depend mainly on the network topology; 
how the senders and receivers are distributed in the network. 
The encoding operation is done at only one source Si (ingress 
router). In this case, all other sources must send their data to 
Si, which will send encoded data over Li. We assume that all 
sources share paths with each other. 

V. S-MATE 

We assume that the network management software at the 
router level will compute the available disjoint paths between 
ingress and egress routers given the traffic demands, network 
flow, and capacity of communication links. In addition, it 
determines the network topology, failure locations, and failure 
causes. The proposed protocols will minimize congestion in 
the network operation in the presence of failures. We can 
also use one of the methods proposed in [22] to compute the 
available multiple disjoint paths and be aware of the routers' 
conditions. 

Traffic splitting in MPLS is deployed in today's routers [18]. 
This is also done in a flexible way such that packets be- 
longing to the same traffic or coming from the same IP 
source will travel throughout the same path. Also, the path 
failure detection can be done using detection protocol such as 
Bidirectional Forwarding Detection (BFD) [16]. As explained 
in [22], BFD establishes connections between two routers, 
ingress and egress nodes, to monitor the traffic paths. 

We now propose a scheme for securing MATE, called S- 
MATE (Secure Multipath Adaptive Traffic Engineering). The 
basic idea of S-MATE can be described by Equation (9). S- 
MATE inherits the traffic engineering components described 
in the previous section and in References [10] and [9]. 

Without loss of generality, assume that the network traffic 
between a pair of ingress and egress nodes is transmitted 
in k edge disjoint paths, each of which carries different 
packets. The disjoint paths are already established between the 
core nodes using any provisioning mechanism. Our proposed 
solution will protect these disjoint paths in case a failure occurs 
in one (or more) particular link(s) throughout one (or more) 
paths. 

The transmission of ingress (source) packets is achieved in 
rounds. For simplicity, we assume that the number of edge 
disjoint paths and the number of rounds in one transmission 
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session are equal. Otherwise, the total number of rounds can 
be divided into k separate rounds. There are two types of 
packets: 

i) Plain Packets: Packets P lJ sent without coding, in which 
the ingress node does not need to perform any coding 
operations. For example, in case of packets sent without 
coding, the ingress node Ni sends the following packet 
to the egress node N^: 

packet N n h (l D N x l ° ,t 3 s ), for i = 1, 2, .., k, i ^ j. (10) 

The plain data x %3 is actually the encryption of the 
message m' J obtained by using any secure symmetric en- 
cryption algorithm [ I ]. That is, x l] = Encyptk eyi (ni 11 ), 
where keyi is a shared symmetric key between Ni and 
N h . 

ii) Encoded Packets: Packets y % sent with encoded data, in 
which the ingress node N\ sends other incoming data. In 
this case, the ingress node Ni sends the following packet 
to egress node Nh'. 




packet jv, N h (ID 



N, 



3-1 



,i 3-1 



E : 

i=3 + l 



The encoded packet will be used in case any of the 
working paths is compromised. The egress node will be 
able to detect the compromised data, and can recover it 
by using the data sent in the protection path. 
Lemma 4: The S-MATE scheme is optimal against a single 
link attack. 

What we mean by optimal here is that the encoding and 
decoding operations are achieved over the binary field with 
the least computational overhead. That is, one cannot find a 
better scheme than this proposed encoding scheme in terms of 
encoding operations. Indeed, one single protection path is used 
in case of a single attack path or failure. The transmission is 
done in rounds (time slots), and hence linear combinations of 
data must be from the same round time. This can be achieved 
by using the time slot that is included in each packet sent by 
the ingress node. 

Lemma 5: The network capacity between the ingress node 
and the egress node is given by k — 1 in the case of one single 
attack path. 

A. Encoding Process 

There are several scenarios in which the encoding operations 
can be achieved. The encoding and decoding operations will 
depend mainly on the network topology, i.e., how the senders 
and receivers are distributed in the network. 

• The encoding operation is done at only one ingress node 
Ni. In this case, N will prepare and send the encoded 
data over L\ h to the receiver Nh- 

• We assume that k packets will be sent in every transmis- 
sion session from the ingress node. Also, if the number 
of incoming packets is greater than k, then a modulo 
function is used to moderate the outgoing traffic in k 
different packets. Each packet will be sent in one unique 
path. 



Fig. 3. Working and protection edge disjoint paths between two core nodes. 
The protection path carries encoded packets from all other working paths 
between ingress and egress nodes. 



Incoming packets with large sizes will be divided into 
small chunks of equal size. 



(H) B. Decoding Process 



The decoding process is done in a similar way as explained 
in the previous work shown in [4] and [3]. 

We assume that the ingress node N assigns the paths 
that will carry plain data as shown in Fig. 3. In addition, 
Ni will encode the data from all incoming traffic and send 
it in one path. This will be used to protect any single 
link attacks/failure. The objective is to withhold rerouting 
the signals or the transmitted packets due to link attacks. 
However, we provide strategies that utilize network coding 
and reduced capacity at the ingress nodes. We assume that 
the source nodes (ingress) are able to perform encoding 
operations and the receiver nodes (ogress) are able to perform 
decoding operations. 

One of S-MATE's objectives is to minimize the delay of 
the transmitted packets. So, the packets from one IP address 
will be received in order in one path. The following are the 
key features of S-MATE. 

« The traffic from the ingress node to the egress node is 
secured against eavesdropper and intruders. 

« No extra paths in addition to the existing network edge 
disjoint paths are needed to secure the network traffic. 

• It can be implemented without adding new hardware or 
network components. 

The following example illustrates the plain and encoded data 
transmitted from five senders to five receivers. 

Example 1: Let Ni and Nh be two core network nodes (a 
sender and receiver) in a cloud network. Equation (12) explains 
the plain and encoded data sent in five consecutive time slots 
from the sender to the receiver. In the first time slot, the first 
connection carries encoded data, and all other connections 
carry plain data. Furthermore, the encoded data is distributed 
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these coefficients is by using the following two vectors: 



cycle 
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rounds 


1 2 3 4 5 
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L lh 

L lh 

T 4 
n lh 
T 5 
^lh 


y 1 x 11 x 12 x 13 x 14 
x 21 y 2 x 22 x 23 x 24 
x 31 x 32 y 3 x 33 x 34 
x 41 x 42 x 43 y 4 x 44 
x^^ x^^ x^*^ x^^ y 







(12) 



The encoded data y 3 , for 1 < j < 5, is sent as 

3-1 5 

y> = J2x ij ~ 1 + E xij - 

i—1 i=j-\-l 



(13) 



We notice that every message has its own time slot. Hence, 
the protection data is distributed among all paths for fairness. 

VI. A Strategy Against two attacked Paths 

In this section, we propose a strategy against two attacked 
paths (links), i.e., securing MATE against two-path attacks. 
The strategy is achieved by using network coding and dedi- 
cated paths. Assume we have n connections carrying data from 
an ingress node to an egress node. All connections represent 
disjoint paths. 

We will provide two backup paths to secure against any 
two disjoint paths, which might experience any sort of attacks. 
These two protection paths can be chosen by using network 
provisioning. The protection paths are fixed for all rounds per 
session from the ingress node to the egress node, but they 
may vary among sessions. For example, the ingress node Ni 
transmits a message x lt to the egress node Nh through path 
L\ h at time t e s in round time I in session S. This process is 
explained in Equation (14) as follows: 





cycle 1 
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All yj's are defined as 
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= E <4* u 
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E 



(14) 



(15) 



The coefficients a\ and b\ are chosen over a finite field F q 
with q > ri—2; see [4], [5] for more details. One way to choose 
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(16) 



Therefore, the coded data is 



it 

y J = 



and y 



k-i 
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mod n-2g.it 



(17) 



E <* 

In the case of two failures, the receivers will be able to 
solve two linearly independent equations with two unknown 
variables. For instance, assume the two failures occur in paths 
number two and four. Then, the receivers will be able to 
construct two equations with coefficients 



1 

a 



1 



Therefore, we have 



„2i 



2£ . 3 U 

ax + ax . 



(18) 
(19) 



One can multiply the first equation by a and subtract the two 
equations to obtain the value of x 41 . 

Note that the encoded data symbols y^ £ and y M are fixed 
for one session, but they are varied for other sessions. This 
means that the path L\ h is dedicated to send all encoded data 



,y J 



Lemma 6: The network capacity of the protection strategy 
against two-path attacks is given by n — 2. 

There are three different scenarios for two-path attacks, 
which can be described as follows: 

i) If the two-path attacks occur in the backup protection 
paths IA, and Lf h , then no recovery operations are 
required at the egress node. 

ii) If the two-path attacks occur in one backup protection 
path, say L\ h , and one working path L\ h , then recovery 
operations are required. 

iii) If the two-path attacks occur in two working paths, then 
in this case the two protection paths are used to recover 
the lost data. The idea of recovery in this case is to build 
a system of two linearly independent equations with two 
unknown variables. 

VII. Multiple Protection Paths Using S-MATE 

In this section, we present S-MATE against t attacked paths. 
We adopt the same notations as in the previous sections. 
Assume also that the total number of attacks is t, and they 
happen on arbitrary t paths from the ingress node to the egress 
node. 

Let to = and hence we have to rounds per cycle. 

The encoding operations of NPS-T against t attacks/failures 
are described by (20). We can see that yg in general is given 
by 



(3-1)* n 

ye = E + E 



£ i 



i=l i=jt + l 

for (j-l)t+l<£< jt, l<j<n. (21) 
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(20) 



Fig. 4. The encoding scheme of t link failures, m ■ 
are chosen over F q , for q > n — t + 1. 



\n/t], 1 < j < m and 1 < £ < t. t out of the n connections carry encoded data. The coefficients 



A. Encoding Operations 

Assume that each connection path Li has a unit capacity 
from an ingress source s; to an egress receiver rj. The data 
sent from the source Sj to the receiver is transmitted in 
rounds. Under NPS-T, in every round n — t paths are used to 
carry new data (xl), and t paths are used to carry protected 
data units. There are t protection paths. Therefore, to treat all 
connections fairly, there will be n/t rounds in a cycle, and in 
each round the capacity is given by n — t from the ingress 
node to the egress node. 

We consider the case in which all symbols x\ belong to 
the same round. The first t sources transmit the first encoded 
data units y\, 2/2, • • • > Vu and in the second round, the next t 
sources transmit yt+x, Vt+2, ■ ■ ■ 1 Viu an d so on - The ingress 
and egress nodes must keep track of the round numbers. Let 
ID Si and x Si be the ID and data initiated by the source Sj. 
Assume the round time j in cycle 5 is given by t J s , Then, 
the source Sj will send packet Si on the working path which 
includes 



Packet Si = (ID 3i ,xi,4). 



(22) 



Also, the source Sj, which transmits on a protection path, will 
send a packet packet s . : 



Packet s . = (ID S3 ,yj,t e s ), 
where is defined as 



(23) 



O-i)* 



l i 



E 

1=1 i=jt + l 

for (j - l)t + 1 < £ < jt, l<j<n 



Hence, the protection paths are used to protect the data 
transmitted in round I, which are included in the x\ data units. 
So, we have a system of t independent equations at each round 
time that will be used to recover at most t unknown variables. 

The strategy NPS-T is a generalization of protecting against 
a single path failure shown in the previous section in which 
t protection paths are used instead of one protection path in 
case of one failure. 

Theorem 7: Let n be the total number of connections from 
the ingress node to the egress node. The capacity of NPC 
defined over F q against t path attacks is given by 



Cm = (n - t)/(n) 



B. Proper Coefficients Selection 



(25) 



One way to select the coefficients a^ 



in each round such 

that we have a system of t linearly independent equations is 
by using the matrix H shown in Eq. (26). Let q be the order 
of a finite field, and a be the q th root of unity. Then, we can 
use this matrix to define the coefficients of the senders as: 



H 



1 
1 
1 

1 a 1 



1 

Q 
™2 



1 



v 2(t-l) 



1 

a n ~ 

2(n- 



Q 



„(t-l)(n-l) 



(26) 



(24) 



We make the following assumptions about the encoding oper- 
ations. 

1) Clearly, if we have one failure 4 = 1, then all coefficients 
will be one. The first sender will always choose the unit 
value. 
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2) If we assume t failures, then yi, 1/2, ■ ■ ■ , yt are written as: 

n n 

yi = E x h y*= E a(l ~ 1)x l ( 2? ) 

i=t+l 
n 

% = E « <(, ' _1) m ° d ( 28 ) 

i=t+l 

The previous equation gives the general theme to choose 
the coefficients at any particular round in any cycle. However, 
the encoded data yj's are defined as shown in (28). In other 
words, for the first round in cycle one, the coefficients of the 
plain data x\ , X2 , ■ ■ ■ , Xt are set to zero. 

VIII. Network Protection Using Distributed 
Capacities and QoS 

In this section, we develop a network protection strategy 
in which some connection paths (network traffic) have high 
priorities (less bandwidth and high demand). Let k be the 
set of available connections (disjoint paths from ingress to 
egress nodes carrying network traffic). Let m be the set 
of rounds in every cycle. We assume that all connection 
paths might not have the same priority demand and working 
capacities. The assigned priority itself can be done by using 
management software. This can also be achieved by looking 
at the packet headers and checking what kind of traffic they 
carry. Also, the priority can depend on the source IP address. 
Connections that carry applications with multimedia traffic 
have higher priorities than those of applications carrying data 
traffic. Therefore, it is required to design network protection 
strategies based on the traffic and sender priorities. 

Consider that available working connections k may use their 
bandwidth assignments in asymmetric ways. Some connec- 
tions are less demanding in terms of bandwidth requirements 
than other connections that require full capacity frequently. 
Therefore, connections with less demand can transmit more 
protection packets, while other connections demand more 
bandwidth, and can therefore transmit fewer protection packets 
throughout transmission rounds. Let m be the number of 
rounds and tf be the time of transmission in a cycle <5 at round 
i. For a particular cycle i, let t be the number of protection 
paths against t link failures or attacks that might affect the 
working paths. We will design a network protection strategy 
against t arbitrary link failures as follows. Let the source 
Sj send di data packets and pi protection packets such that 
dj + pj = m. That is, 

k 

Y,(di+Pi) = km. (29) 
i=i 

In general, we do not assume that di = dj and pi = pj . 
The encoded data y %l is given by 

y u = E xH - < 31 > 

We assume that the maximum number of attacks/failures 
that might occur in a particular cycle is t. Hence, the number 
of protection paths (paths that carry encoded data) is t. The 



QoS S-MATE Scheme 
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(30) 



selection of the working and protection paths in every round 
is done by using a demand-based priority function at the 
senders's side. It will also depend on the traffic type and 
service provided on these protection and working connections. 
See Fig. 5 for ingress and egress nodes with five disjoint 
connections. 

In Eq. (30), every connection i is used to carry di unencoded 
data di (working paths) and pi encoded data 

y %1 , y l2 , . . . , y lpi (protection paths) such that di + pi = in. 

Lemma 8: Let t be the number of connection paths carry- 
ing encoded data in every round. The network capacity CV is 
then given by 

C^ = k- 1. (32) 

Proof: The proof is forward straight from the fact that t 
protection paths exist in every round among the k available 
disjoint paths, and hence k — t working paths are available 
throughout all m rounds. ■ 

IX. Practical Aspects 

The network protection strategy against a link failure is 
deployed in two processes: encoding and decoding operations. 
The encoding operations are performed at the ingress router, 
which will send the encoded data depending on the adapted 
strategy throughout the available multipaths. The packets are 
sent in rounds. Each packet is marked by using the current 
round time and the path number. This is achieved till all 
packets are sent throughout all paths. 

The decoding operations are performed at the receiver 
side (egress router), which will apply XOR operations to all 
incoming traffic to recover the lost packets in case of a single 
link failure. If the receivers can tolerate a large amount of 
delay as in the case of storage files, then, the S-MATE strategy 
can be used. For applications that cannot tolerate packet delays 
(delay sensitive traffic) such as multimedia or TV streams, the 
S-MATE strategy can be used. We also note that the delay 
will occur only when a failure occurs in the protection paths. 

The transmission is done in rounds, and hence linear com- 
binations of data have to be from the same round. This can 
be achieved by using the round time that is included in each 
packet sent by a sender. 
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Relay nodes 




Fig. 5. Working and protection edge disjoint paths between two core nodes 
(ingress and egress nodes). Every path L; carries encoded and plain packets 
depending on the traffic priority pi. 



The core routers will manage the available multipaths by 
using network management software. In this case, the number 
of link disjoint paths are known and provisioned in advance. 
Furthermore, the routers will decide which protection strate- 
gies will be used depending on the network conditions and 
number of failures. 



X. Conclusion 

In this paper, we have proposed the S-MATE scheme (secure 
multipath adaptive traffic engineering) for operational net- 
works. We have utilized network coding of transmitted packets 
to protect the traffic between two network core nodes (routers, 
switches, etc.) that could exist in a cloud network. Our assump- 
tion is based on the fact that core network nodes share multiple 
edge disjoint paths. S-MATE can secure network traffic against 
single link attacks/failures by adding redundancy in one of the 
operational paths between the sender and receiver. It can also 
be used to secure network traffic against two and multiple 
attacks/failures. The proposed scheme can be built to secure 
operational networks including optical and multipath adaptive 
networks. In particular, it can provide security services at the 
IP and data link layers. 
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